Designing VCS-C and VCS-E Setup

We currently have a VCSc that is working properly internally on our network. Recently we purchased a VCSe so that we can have external employees register to and connect to users inside the private network.

Originally I designed based on Cisco's deployment guide which puts the VCS Expressway inside the DMZ. After setting up firewall rules, NAT, etc, we could not get the configuration to work. I contacted Cisco TAC and they are informing me that we need to have the Dual NIC option in order to assure this type of setup works properly.

We would prefer to set this up without having an extra option key, so my next change was to put the VCS Expressway outside the firewall, on the public network directly. From what I understand, this is the normal intended design. However I'm having problems making it work correctly. I'm sure I'm missing something simple here.

First, when I am on internal network, I can see the traversal zone configured to VCS-E public IP and it shows connected for H.323 and SIP. Also I have a search rule which lets me dial a public test IP from internal and the call does flow properly out to the VCS-E and connects.

My main problem is going the other direction. I can't seem to register to the VCS-E. I have the configuration proper so that it should proxy back to the VCS-C, however what I can't figure out is how the VCS-E on public network is going to access an internal IP on our network. I do indeed see the requests hit the VCS-C, however it never registers, just tells me there is a problem and to contact IT support. Maybe I'm not grasping how this works and there is a different configuration issue.

Anyone have any ideas? Does my setup sound correct, or did I miss a step somewhere. I would appreciate any help, I can provide more info if necessary.

Hi All,
Are you getting this error “Installer User Interface Mode Not Supported. The installer cannot run in this UI mode. To specify the interface mode, use the -i command-line option, followed by the UI mode identifier. The value UI mode identifiers...
view more

The below trick might come handy when you have to add a new node to a cluster but you don't have or is unsure of the security password for the publisher. This procedure has been around for ages.
1) Login into the CLI of the Publisher.
...
view more